build: use libpathrs by default

.cirrus.yml

@@ -13,7 +13,8 @@ task:
     CIRRUS_WORKING_DIR: /home/runc
     GO_VER_PREFIX: "1.25."
     BATS_VERSION: "v1.12.0"
-    RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils
+    LIBPATHRS_VERSION: "0.2.4"
+    RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux policycoreutils cargo lld wget
     # yamllint disable rule:key-duplicates
     matrix:
       - DISTRO: almalinux-8
@@ -63,6 +64,9 @@ task:
       dnf -y install criu
     esac
 
+    # Install libpathrs.
+    /home/runc/script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
+
     # Install Go.
     URL_PREFIX="https://go.dev/dl/"
     # Find out the latest minor release URL.

.github/workflows/test.yml

@@ -15,6 +15,7 @@ permissions:
   contents: read
 
 env:
+  LIBPATHRS_VERSION: "0.2.4"
   # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
   CGO_CFLAGS: -g -O2 -Werror
 
@@ -26,6 +27,7 @@ jobs:
       matrix:
         os: [ubuntu-24.04, ubuntu-24.04-arm]
         go-version: [1.24.x, 1.25.x, 1.26.x]
+        libpathrs: ["libpathrs", ""]
         rootless: ["rootless", ""]
         race: ["-race", ""]
         criu: ["", "criu-dev"]
@@ -75,7 +77,19 @@ jobs:
     - name: install deps
       run: |
         sudo apt update
-        sudo apt -y install libseccomp-dev sshfs uidmap
+        sudo apt -y install libseccomp-dev sshfs uidmap lld
+
+    - name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
+      if: ${{ matrix.libpathrs != '' }}
+      run: |
+        sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
+
+    - name: configure custom BUILDTAGS
+      if: ${{ matrix.libpathrs == '' }}
+      run: |-
+        # Strip out libpathrs from the default buildtags.
+        CUSTOM_BUILDTAGS="$(make -pn | sed -En '/^BUILDTAGS :?=/ { s/.*=// ; s/\blibpathrs\b//p }')"
+        echo "CUSTOM_BUILDTAGS=$CUSTOM_BUILDTAGS" >>"$GITHUB_ENV"
 
     - name: install CRIU
       if: ${{ matrix.criu == '' }}
@@ -107,7 +121,11 @@ jobs:
         check-latest: true
 
     - name: build
-      run: sudo -E PATH="$PATH" make EXTRA_FLAGS="${{ matrix.race }}" all
+      run: |
+        sudo -E PATH="$PATH" make \
+            ${CUSTOM_BUILDTAGS:+BUILDTAGS="$CUSTOM_BUILDTAGS"} \
+            EXTRA_FLAGS="${{ matrix.race }}" \
+            all
 
     - name: Setup Bats and bats libs
       uses: bats-core/bats-action@4.0.0
@@ -126,7 +144,7 @@ jobs:
 
     - name: unit test
       if: matrix.rootless != 'rootless'
-      run: sudo -E PATH="$PATH" -- make TESTFLAGS="${{ matrix.race }}" localunittest
+      run: sudo -E PATH="$PATH" -- make ${CUSTOM_BUILDTAGS:+BUILDTAGS="$CUSTOM_BUILDTAGS"} TESTFLAGS="${{ matrix.race }}" localunittest
 
     - name: add rootless user
       if: matrix.rootless == 'rootless'
@@ -136,7 +154,7 @@ jobs:
 
     - name: integration test (fs driver)
       continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
-      run: sudo -E PATH="$PATH" script -e -c 'make local${{ matrix.rootless }}integration'
+      run: sudo -E PATH="$PATH" script -e -c 'make ${CUSTOM_BUILDTAGS:+BUILDTAGS="$CUSTOM_BUILDTAGS"} local${{ matrix.rootless }}integration'
 
     - name: integration test (systemd driver)
       continue-on-error: ${{ matrix.criu != '' }} # Don't let criu-dev errors fail CI.
@@ -147,7 +165,7 @@ jobs:
         printf "[Service]\nDelegate=yes\n" | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
         sudo systemctl daemon-reload
         # Run the tests.
-        sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes local${{ matrix.rootless }}integration'
+        sudo -E PATH="$PATH" script -e -c 'make RUNC_USE_SYSTEMD=yes ${CUSTOM_BUILDTAGS:+BUILDTAGS="$CUSTOM_BUILDTAGS"} local${{ matrix.rootless }}integration'
 
   # We need to continue support for 32-bit ARM.
   # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
@@ -170,7 +188,23 @@ jobs:
         sudo add-apt-repository -y ppa:criu/ppa || sudo add-apt-repository -y ppa:criu/ppa
         # apt-add-repository runs apt update so we don't have to.
 
-        sudo apt -qy install libseccomp-dev libseccomp-dev:i386 gcc-multilib libgcc-s1:i386 criu
+        GCC_VERSION="$(gcc -dumpversion)"
+        sudo apt -qy install \
+          lld criu \
+          libseccomp-dev libseccomp-dev:i386 \
+          libc-dev:i386 libgcc-s1:i386 libgcc-${GCC_VERSION}-dev:i386 gcc-i686-linux-gnu
+
+        # When cross-compiling, GCC 13 and earlier will look for a linker that
+        # is marked for cross-compilation, which the Ubuntu lld package doesn't
+        # provide. The solution is to create a symlink ourselves. GCC 14 fixed
+        # this, see <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111605>.
+        ln -sv "$(which ld.lld)" /usr/local/bin/i686-linux-gnu-ld.lld
+    - run: rustup target add i686-unknown-linux-gnu
+
+    - name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
+      run: |
+        sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr 386
+        sudo ldconfig /usr/386/lib
 
     - name: install go
       uses: actions/setup-go@v6
@@ -179,6 +213,9 @@ jobs:
         check-latest: true
 
     - name: unit test
+      env:
+        CC: i686-linux-gnu-gcc
+        PKG_CONFIG_PATH: /usr/386/lib/pkgconfig
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
 
   fedora:

.github/workflows/validate.yml

@@ -8,11 +8,14 @@ on:
       - release-*
   pull_request:
   workflow_dispatch:
-env:
-  GO_VERSION: 1.25
+
 permissions:
   contents: read
 
+env:
+  GO_VERSION: 1.25
+  LIBPATHRS_VERSION: "0.2.4"
+
 jobs:
   keyring:
     runs-on: ubuntu-24.04
@@ -85,7 +88,10 @@ jobs:
       - name: install deps
         run: |
           sudo apt update
-          sudo apt -y install libseccomp-dev
+          sudo apt -y install libseccomp-dev lld
+      - name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
+        run: |
+          sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
       - name: compile with no build tags
         run: make BUILDTAGS=""
       - name: compile with runc_nocriu build tag

CHANGELOG.md

@@ -46,6 +46,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   particularly useful and was completely obsoleted by the changes to
   `/proc/self/exe` sealing we introduced in runc [1.2.0][]. (#5141)
 
+### Changed ###
+- Our release binaries and default build configuration now use [libpathrs][] by
+  default, providiung better hardening against certain kinds of attacks. Users
+  of runc should not see any changes as a result of this, but pacakgers will
+  need to adjust their packaging accordingly. runc can still be built without
+  libpathrs (by building without the `libpathrs` build tag), but we currently
+  plan to make runc 1.6 *require* libpathrs. (#5103)
+- Previously we made an attempt to make our `runc.armhf` release binaries work
+  with ARMv6 (which would allow runc to work on the original Raspberry Pi).
+  Unfortunately, this has effectively always been broken (because we
+  cross-compile `libseccomp` within a Debian container and statically link to
+  it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf]
+  (that is, ARMv7). (#5103)
+
+[libpathrs]: https://github.com/cyphar/libpathrs
+[debian-armhf]: https://wiki.debian.org/ArmHardFloatPort
+
 ## [1.4.0] - 2025-11-27
 
 > 路漫漫其修远兮，吾将上下而求索！

Dockerfile

@@ -1,18 +1,22 @@
 ARG GO_VERSION=1.25
 ARG BATS_VERSION=v1.12.0
 ARG LIBSECCOMP_VERSION=2.6.0
+ARG LIBPATHRS_VERSION=0.2.4
 
-FROM golang:${GO_VERSION}-bookworm
+FROM golang:${GO_VERSION}-trixie
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12
+ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_13
 
 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
     wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
     && echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
-    && dpkg --add-architecture i386 \
+    && printf "%s\n" i386 armel armhf arm64 ppc64el s390x riscv64 | xargs -t -n1 -- dpkg --add-architecture \
     && apt-get update \
     && apt-get install -y --no-install-recommends \
         build-essential \
+        cargo \
+        cargo-auditable \
+        clang \
         criu \
         gcc \
         gcc-multilib \
@@ -22,20 +26,21 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
         iptables \
         jq \
         kmod \
+        lld \
         pkg-config \
         python3-minimal \
         sshfs \
         sudo \
         uidmap \
         iproute2 \
     && apt-get install -y --no-install-recommends \
-        libc-dev:i386 libgcc-s1:i386 \
-        gcc-aarch64-linux-gnu libc-dev-arm64-cross \
-        gcc-arm-linux-gnueabi libc-dev-armel-cross \
-        gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
-        gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
-        gcc-s390x-linux-gnu libc-dev-s390x-cross \
-        gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
+        libc-dev:i386 libgcc-s1:i386 gcc-i686-linux-gnu libstd-rust-dev:i386 \
+        gcc-aarch64-linux-gnu libc-dev-arm64-cross libstd-rust-dev:arm64 \
+        gcc-arm-linux-gnueabi libc-dev-armel-cross libstd-rust-dev:armel \
+        gcc-arm-linux-gnueabihf libc-dev-armhf-cross libstd-rust-dev:armhf \
+        gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross libstd-rust-dev:ppc64el \
+        gcc-s390x-linux-gnu libc-dev-s390x-cross libstd-rust-dev:s390x \
+        gcc-riscv64-linux-gnu libc-dev-riscv64-cross libstd-rust-dev:riscv64 \
     && apt-get clean \
     && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
 
@@ -54,14 +59,25 @@ RUN cd /tmp \
     && ./install.sh /usr/local \
     && rm -rf /tmp/bats-core
 
+ARG RELEASE_ARCHES="386 amd64 arm64 armel armhf ppc64le riscv64 s390x"
+ENV DYLIB_DIR=/opt/runc-dylibs
+
 # install libseccomp
 ARG LIBSECCOMP_VERSION
-COPY script/seccomp.sh script/lib.sh /tmp/script/
-RUN mkdir -p /opt/libseccomp \
-    && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp 386 amd64 arm64 armel armhf ppc64le riscv64 s390x
+COPY script/build-seccomp.sh script/lib.sh /tmp/script/
+RUN mkdir -p $DYLIB_DIR \
+    && /tmp/script/build-seccomp.sh "$LIBSECCOMP_VERSION" $DYLIB_DIR $RELEASE_ARCHES
 ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
-ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
-ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
+
+# install libpathrs
+ARG LIBPATHRS_VERSION
+COPY script/build-libpathrs.sh /tmp/script/
+RUN mkdir -p $DYLIB_DIR \
+    && /tmp/script/build-libpathrs.sh "$LIBPATHRS_VERSION" $DYLIB_DIR $RELEASE_ARCHES
+ENV LIBPATHRS_VERSION=$LIBPATHRS_VERSION
+
+ENV LD_LIBRARY_PATH=$DYLIB_DIR/lib
+ENV PKG_CONFIG_PATH=$DYLIB_DIR/lib/pkgconfig
 
 # Prevent the "fatal: detected dubious ownership in repository" git complain during build.
 RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc

Makefile

@@ -12,7 +12,7 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
 RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
 PROJECT := github.com/opencontainers/runc
 EXTRA_BUILDTAGS :=
-BUILDTAGS := seccomp urfave_cli_no_docs
+BUILDTAGS := seccomp urfave_cli_no_docs libpathrs
 BUILDTAGS += $(EXTRA_BUILDTAGS)
 
 COMMIT := $(shell git describe --dirty --long --always)

README.md

@@ -112,6 +112,7 @@ make EXTRA_BUILDTAGS="runc_nocriu"
 | Build Tag     | Feature                               | Enabled by Default | Dependencies        |
 |---------------|---------------------------------------|--------------------|---------------------|
 | `seccomp`     | Syscall filtering using `libseccomp`. | yes                | `libseccomp`        |
+| `libpathrs`   | Use [`libpathrs`][] for path safety.  | yes                | [`libpathrs`][]     |
 | `runc_nocriu` | **Disables** runc checkpoint/restore. | no                 | `criu`              |
 
 The following build tags were used earlier, but are now obsoleted:
@@ -120,6 +121,8 @@ The following build tags were used earlier, but are now obsoleted:
  - **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
  - **selinux**  (since runc v1.0.0-rc93 the feature is always enabled)
 
+[`libpathrs`]: https://github.com/cyphar/libpathrs
+
 ### Running the test suite
 
 `runc` currently supports running its test suite via Docker.

go.mod

@@ -28,7 +28,7 @@ require (
 )
 
 require (
-	cyphar.com/go-pathrs v0.2.1 // indirect
+	cyphar.com/go-pathrs v0.2.4 // indirect
 	github.com/cilium/ebpf v0.17.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

go.sum

@@ -1,5 +1,5 @@
-cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
-cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
+cyphar.com/go-pathrs v0.2.4 h1:iD/mge36swa1UFKdINkr1Frkpp6wZsy3YYEildj9cLY=
+cyphar.com/go-pathrs v0.2.4/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/checkpoint-restore/go-criu/v7 v7.2.0 h1:qGiWA4App1gGlEfIJ68WR9jbezV9J7yZdjzglezcqKo=
 github.com/checkpoint-restore/go-criu/v7 v7.2.0/go.mod h1:u0LCWLg0w4yqqu14aXhiB4YD3a1qd8EcCEg7vda5dwo=